Slashdot Mirror


Hacking Ring Nabbed By US Authorities

Slatterz writes "The members of a hacking ring responsible for stealing more than 40 million credit and debit card numbers from retail organizations in the US have been caught and charged. The case before the US Department of Justice is believed to be the largest hacking and identity theft case ever prosecuted. The criminals allegedly obtained bank details by hacking into the retailers' computer networks and then installing 'sniffer' programs to capture card numbers and password details as the customers moved through the retailers' credit and debit processing networks."

146 comments

  1. Dupe, n'est pas? by Anonymous Coward · · Score: 0
    1. Re:Dupe, n'est pas? by Anonymous Coward · · Score: 0

      Ceci n'est pas un dupe, n'est-ce pas?

    2. Re:Dupe, n'est pas? by alx5000 · · Score: 1
      --
      My 0.02 cents
  2. will there be changes? by CaptainNerdCave · · Score: 5, Informative

    are security measures going to be changed with this revelation to the public? having seen the inner-workings of various bank and investment facilities, i can safely say that one doesn't need to go through any really complicated work to take financial information from consumers: most wiring closets aren't even locked.

    1. Re:will there be changes? by El_Muerte_TDS · · Score: 5, Funny

      are security measures going to be changed with this revelation to the public?

      Of course not. After all, they caught the people that abused it. Why waste money to protect something from criminals when the criminals were already caught. Nobody would dare to try it again.

    2. Re:will there be changes? by Strilanc · · Score: 5, Interesting

      I'm going to go out on a limb and say the core of the problem isn't the security of the computers, it's the fact that in order to use a credit card number you have to reveal it. There will always be some retailer or customer without a secure system. _We can't change this, it's too hard_.

      I think the solution is a small device with an embedded secret key. All it has to do is sign data [secondary: show text, wireless, usb, etc].

      For example, to complete a transaction, a store asks you to sign this:
      [
            VISA Credit Transfer
            "here's a one-line ad because we just can't help it!"
            amount: 12.34$us
            buyer: John Doe
            seller: Matt's Grocery Store
            date: August 7, 2008
            buyer public key: 09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 c0
            seller public key: 4B 3D BA 71 3B D8 56 43 2B A7 E8 F4 69 CA C5 5A
            seller transaction id: 594864purplebunnies
            protocol version: 1
      ]
      Then the store also signs it, and sends it and the signatures to VISA, or whoever.

      The beauty here is that the security is now entirely encapsulated in a) the signing device, and b) the plaintext format for requesting credit.

      In the example I have given the buyer only has to check that the amount is correct because all other modifications give them free groceries. The store only needs to ensure they match the format specified by VISA, and that the buyer's signature is valid. VISA takes most of the work, checking that the format is correct, the signatures are valid, the transaction id is unique for the seller, the buyer has enough credit, etc.

      I'm sure there are holes, but it's a hell of a lot better than what we have now.

    3. Re:will there be changes? by dsginter · · Score: 3, Insightful

      are security measures going to be changed with this revelation to the public?

      If they secured credit cards so that there was no fraud, then how would the providers justify their exorbitant fees?

      --
      More
    4. Re:will there be changes? by timmarhy · · Score: 2, Funny

      what, they justify them now?

      --
      If you mod me down, I will become more powerful than you can imagine....
    5. Re:will there be changes? by Anonymous Coward · · Score: 1, Informative

      already done, patented and on the way for deployment (at least in Switzerland):

      http://www.zurich.ibm.com/ztic/

    6. Re:will there be changes? by Iamthecheese · · Score: 2, Interesting

      hash clash

      --
      If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
    7. Re:will there be changes? by kabocox · · Score: 2, Insightful

      In the example I have given the buyer only has to check that the amount is correct because all other modifications give them free groceries. The store only needs to ensure they match the format specified by VISA, and that the buyer's signature is valid. VISA takes most of the work, checking that the format is correct, the signatures are valid, the transaction id is unique for the seller, the buyer has enough credit, etc.

      I'm sure there are holes, but it's a hell of a lot better than what we have now.

      I'm surprised that we even still use signatures now. It seems like no cashier actually looks at them, or could tell if there is even a difference. There is a strong part of me that would like the credit/debit card industry to add various biometrics that would at least be scanned by a machine so we'd actually have some ID verification other than the damn PIN number.

      I think that the credit card companies are stuck at the moment. They'd like to actually throw out a few more security measures, but it would cost retailers money to add the biometric scanners. We could end a lot of ID theft if a fingerprint was required to be sent with each purchase. If someone stole your card, they'd also have to have a means to forge your fingerprints to use it most places. It won't stop these professionals as they'd figure out ways around any system in a few months, but for all the less casual ID thefts that go on, it would make detecting ID fraud and criminals far, far easier.

    8. Re:will there be changes? by bberens · · Score: 4, Informative

      Or you could.. ya know.. discover that there's vulnerabilities inherent in the system and just use cash instead. Using cards (even debit) causes price inflation. Cash is king.

      --
      Check out my lame java blog at www.javachopshop.com
    9. Re:will there be changes? by mgblst · · Score: 1

      Just like in the cartoons.

    10. Re:will there be changes? by gardenwall2 · · Score: 1

      You're correct about the wiring closets. How many have additional items, such as janitorial and office supplies stored in the same location? As a result, the staff says it's "too hard" to keep the door locked. Not to mention the risk of social engineering. How many employees would really question anyone appearing on site that looked "official" - in retail locations, not just financial.

    11. Re:will there be changes? by that+IT+girl · · Score: 1

      Well obviously... I mean, look at what happened when they enacted the death penalty for murder. Nobody ever did that again...

      --
      10 FILL MUG WITH COFFEE
      20 DRINK COFFEE
      30 GOTO 10
    12. Re:will there be changes? by Anonymous Coward · · Score: 0

      I look forward to carrying around hundreds of dollars until I look like a drug kingpin so I can buy groceries, get my oil changed, etc. First thing I'd have to do is buy a can of mace for the muggers.

      Buying something like a flat screen TV would be fun, "$100, $200, $300...".

    13. Re:will there be changes? by The+FNP · · Score: 1

      Gives new meaning to hash cash.

      there fixed that for you.

      --The FNP

    14. Re:will there be changes? by gcatullus · · Score: 2, Interesting

      Will not happen because credit card companies are NOT the ones on the hook for the losses. The charade of PCI compliance has foisted all responsibility back to the merchant. The Visa/Mastercard cartel actually make MORE money from fraud because there are many more transactions, and they profit from every single transaction. Visa/Mastercard took approximately $40 Billion last year in interchange fees; this is in addition to any customer interest or late penalties. They have no incentive to change and the merchants (other than say Walmart) are in no position to quibble with them.

    15. Re:will there be changes? by Strilanc · · Score: 1

      There's a demand for credit cards, people aren't going to "just use cash". Not to mention cash doesn't work nearly as well as credit over the internet. The idea is to fix the system, not throw it out.

    16. Re:will there be changes? by tlhIngan · · Score: 4, Interesting

      I'm surprised that we even still use signatures now. It seems like no cashier actually looks at them, or could tell if there is even a difference. There is a strong part of me that would like the credit/debit card industry to add various biometrics that would at least be scanned by a machine so we'd actually have some ID verification other than the damn PIN number.

      Actually, it's a misconception that the signature has meaning to the retailer if they match. If you look at the slip you sign, it says something to the effect of "I agree to pay this debt according to the terms of the cardholder agreement" or similar.

      Signing your card is an indication that you accept the cardholder agreement (i.e., the card is valid). Technically, a store can refuse to accept any card that is unsigned, says "CHECK ID" or similar because those cards are invalid (because you haven't indicated you accept the cardholder agreement, which covers things like... repayment of debt). The slip is used to indicate that you, the cardholder, will pay the issuer the amount listed, who will then pay the merchant that amount.

      During a dispute, the best proof a merchant has is the signed slip. What makes life interesting are those places where signing the slip isn't necessary (e.g., some for transactions under $25).

    17. Re:will there be changes? by blitzkrieg3 · · Score: 1

      128 bit key

      2^128 = 3.40282367*10^38 possibilities

      Hash clash with that many possibilities? I don't think so.

    18. Re:will there be changes? by Anonymous Coward · · Score: 0

      Right because walking around with $3,000 in cash to buy a new TV is such a brilliant fucking idea.

    19. Re:will there be changes? by Anonymous Coward · · Score: 0

      Or you could.. ya know.. discover that there's vulnerabilities inherent in the system and just use cash instead.

      Or I could just check my bill each month and dispute any charges I don't recognize. I love cash too and always use it for small purchases, but I love my CC just as much. Feel free to pay cash and help fund my 1% cash back.

    20. Re:will there be changes? by rujholla · · Score: 1

      How do you handle online transactions? Would each person have to have biometric equipment attached to their computer?

    21. Re:will there be changes? by blair1q · · Score: 2, Insightful

      Or you could.. ya know.. discover that there's vulnerabilities inherent in the system and just use cash instead. Using cards (even debit) causes price inflation. Cash is king.

      But your cash is counterfeit. Please step to the side and speak with the nice policeman. Thank you.

    22. Re:will there be changes? by ohzero · · Score: 1

      Oh yes, let's do that immediately. I can't think of anyone I'd like to have my fingerprint more than Visa and its 500 service providers. The credit card companies barely care about the issue at all actually. This is why they force the onus onto all the acquiring banks and SPs, and the acquiring banks force it onto the merchants. There has been a zero sum when it comes to investigation of a method for wholesale change to the way credit and debit are processed mostly because the view of the stakeholders is that it's not truly broken. All the money spent on PCI-DSS and subsequent offshoots like PA-DSS is a waste. What the brands and the SSC should have chartered was a bunch of MIT math people to figure out how to practically take large amounts of data and redistribute it in a format that isn't completely retarded.

      --
      -- http://www.criticalassets.com
    23. Re:will there be changes? by bberens · · Score: 1

      Let's see, the odds of getting mugged on the drive from my bank to Best Buy are approximately one in a billion. The odds of having my identity stolen with regular/liberal use of credit/debit cards is about 100%. And let's be honest, only a fraction of a percent of purchases are over the $1k mark.

      --
      Check out my lame java blog at www.javachopshop.com
    24. Re:will there be changes? by The+Snowman · · Score: 1

      ...i can safely say that one doesn't need to go through any really complicated work to take financial information from consumers...

      This week I personally stopped what could have been a major breach of credit card security. My company works for retail companies, and one of our clients emailed us a transaction log containing full credit card data for a day's worth of transactions. I don't mean masked data, times, etc. I mean full numbers, expiration dates, CCV numbers, names, everything. They just handed it to us (without us asking) to help us fix a bug in some software. I promptly informed my security manager, and after he was done shitting a brick, he quickly fixed the situation as best we could to include scrubbing data from the email servers.

      In this case the client just handed us the data. No hacking necessary. If anyone at my company were evil or at least easily tempted they could have gotten away with a huge amount of fraud. I wonder how often situations such as this occur. People not paying attention, or maybe dealing with financial information and not being aware of PCI-DSS requirements or federal law.

      --
      24 beers in a case, 24 hours in a day. Coincidence? I think not!
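      The situation in the post above (full track data arriving in a transaction log by e-mail) is exactly what a simple cardholder-data scanner on the mail gateway or log pipeline is meant to catch. The following is an added example, not code from anyone in this thread: it finds Luhn-valid card numbers in free text, masks them PCI-style (first six and last four digits only) and strips CVV values, so the file can be shared with a developer without carrying live card data. The log lines and the `pan=`/`cvv=` field names are constructed for the example; the two card numbers are the public Luhn-valid test numbers, not real accounts.

```python
import re

# Candidate runs of 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits (so timestamps and ids are skipped).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Constructed field name for the card verification value in the sample log.
CVV_FIELD = re.compile(r"\bcvv=\d{3,4}\b")


def luhn_ok(digits):
    """Luhn check digit: every card PAN passes it, most other digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return (start, end, digits) for every Luhn-valid candidate in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask_pan(digits):
    """PCI-style truncation: at most the first six and last four digits remain."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(text):
    """Mask PANs and drop CVV values so the text no longer carries cardholder data."""
    out, last = [], 0
    for start, end, digits in find_pans(text):
        out.append(text[last:start])
        out.append(mask_pan(digits))
        last = end
    out.append(text[last:])
    return CVV_FIELD.sub("cvv=[removed]", "".join(out))


# Constructed sample of the kind of log the post describes. The PANs are the
# public test numbers 4111... and 5500..., not real cards; the third line is a
# 16-digit order id that fails the Luhn check and must be left alone.
SAMPLE_LOG = """\
2008-08-07 10:14:02 txn=594864 pan=4111111111111111 exp=0911 cvv=123 name=JOHN DOE amount=12.34
2008-08-07 10:15:47 txn=594865 pan=5500 0000 0000 0004 exp=1210 cvv=456 name=JANE ROE amount=99.00
2008-08-07 10:16:10 order=1234567890123456 status=shipped
"""

if __name__ == "__main__":
    print(scrub(SAMPLE_LOG))
```

The Luhn check is what keeps the false-positive rate tolerable: a bare "16 digits" regex would also flag the order id on the third line. The CVV is removed outright rather than masked because it may never be stored after authorisation at all.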
    25. Re:will there be changes? by The+Snowman · · Score: 1

      I'm going to go out on a limb and say the core of the problem isn't the security of the computers, it's the fact that in order to use a credit card number you have to reveal it. There will always be some retailer or customer without a secure system. _We can't change this, it's too hard_.

      Bullshit. Banks certify payment systems before allowing retailers to authorize through them. For smaller operations they may delegate to a payment processor that certifies devices on the network, such as mom and pop stores that use a pinpad/MSR separate from the POS. In any event, the device that handles credit/debit input must be certified by the bank.

      I think the solution is a small device with an embedded secret key. All it has to do is sign data [secondary: show text, wireless, usb, etc].

      This is already standard with Canadian debit. The device itself adds a MAC (message authentication code) to the core data in a message (account number, PIN, etc) and the message is encrypted. This validates that the originating device is in fact a certified device (the MAC keys are on file at the bank similar to a CA) and it helps detect fraud and hacking, even if it cannot protect against it completely. In the U.S. the communication is encrypted but there is no requirement to MAC a message or to provide for device-based security quite to the extent there is in Canada. Also note this is Canadian debit, not credit. However, the means are in place and the technology is live, right now.

      --
      24 beers in a case, 24 hours in a day. Coincidence? I think not!
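      Strilanc's proposal earlier in this thread (the buyer's device signs a fixed-format request, the store countersigns, and the card network checks format, signatures, per-seller transaction id and credit) and the Canadian-debit description above (the device MACs the message with keys the bank has on file) are the same shape of protocol. The following is an added example, not code from either poster: it walks that request through the happy path and three failure modes. It uses HMAC-SHA256 with shared keys in place of public-key signatures so that it runs on the Python standard library alone; that matches the MAC-with-keys-on-file variant, and swapping in signatures changes only the two `device_mac` calls. The key ids, key bytes, credit limit and field names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo keys. In the scheme being discussed the buyer's key never
# leaves the signing device and the seller's never leaves the certified
# terminal; the processor holds a copy of each (keys "on file at the bank").
DEVICE_KEYS = {
    "buyer:john-doe": b"constructed-buyer-device-key",
    "seller:matts-grocery": b"constructed-seller-terminal-key",
}

# The request format, fixed by the network (VISA in the post). Amounts are in
# integer cents so there is no floating-point ambiguity in what gets signed.
REQUIRED_FIELDS = frozenset([
    "amount_cents", "currency", "buyer", "seller", "date",
    "seller_txn_id", "protocol_version",
])


def canonical(txn):
    """One fixed serialisation, so every party MACs exactly the same bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def device_mac(key_id, txn):
    return hmac.new(DEVICE_KEYS[key_id], canonical(txn), hashlib.sha256).hexdigest()


def buyer_device_sign(txn, amount_confirmed_on_device):
    """The buyer's only job is to check the amount on the device's own display;
    the device refuses to sign a request whose amount differs from that."""
    if txn["amount_cents"] != amount_confirmed_on_device:
        raise ValueError("amount in request differs from amount the buyer confirmed")
    return device_mac(txn["buyer"], txn)


class Processor:
    """The network side: format, both MACs, per-seller id uniqueness, credit."""

    def __init__(self, credit_limits_cents):
        self.available = dict(credit_limits_cents)
        self.seen = set()                      # (seller, seller_txn_id) already settled

    def settle(self, txn, buyer_mac, seller_mac):
        if set(txn) != REQUIRED_FIELDS or txn["protocol_version"] != 1:
            return "declined: bad format"
        if not isinstance(txn["amount_cents"], int) or txn["amount_cents"] <= 0:
            return "declined: bad amount"
        if txn["buyer"] not in DEVICE_KEYS or txn["seller"] not in DEVICE_KEYS:
            return "declined: unknown device"
        if not hmac.compare_digest(device_mac(txn["buyer"], txn), buyer_mac):
            return "declined: buyer MAC invalid"
        if not hmac.compare_digest(device_mac(txn["seller"], txn), seller_mac):
            return "declined: seller MAC invalid"
        key = (txn["seller"], txn["seller_txn_id"])
        if key in self.seen:
            return "declined: duplicate seller transaction id"
        if self.available.get(txn["buyer"], 0) < txn["amount_cents"]:
            return "declined: insufficient credit"
        self.seen.add(key)
        self.available[txn["buyer"]] -= txn["amount_cents"]
        return "approved"


def demo():
    """The request from the post, then a replay, a tampered amount, and an over-limit purchase."""
    proc = Processor({"buyer:john-doe": 5000})        # constructed $50.00 limit
    txn = {"amount_cents": 1234, "currency": "USD", "buyer": "buyer:john-doe",
           "seller": "seller:matts-grocery", "date": "August 7, 2008",
           "seller_txn_id": "594864purplebunnies", "protocol_version": 1}
    b_mac = buyer_device_sign(txn, 1234)
    s_mac = device_mac(txn["seller"], txn)
    results = [proc.settle(txn, b_mac, s_mac)]         # approved
    results.append(proc.settle(txn, b_mac, s_mac))     # same request again: duplicate id
    altered = dict(txn, amount_cents=9999, seller_txn_id="new-id")
    results.append(proc.settle(altered, b_mac, s_mac))  # amount changed after signing
    big = dict(txn, amount_cents=4000, seller_txn_id="second-purchase")
    results.append(proc.settle(big, buyer_device_sign(big, 4000),
                               device_mac(big["seller"], big)))  # only 3766 left
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Note where each check lives: the amount is the one thing the buyer verifies, on a display the store does not control; everything else (format, both MACs, id uniqueness, credit) is the processor's, and a replayed or edited request fails there without the buyer doing anything.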
    26. Re:will there be changes? by rriven · · Score: 1
      Even if the bank changes, the retailers won't. When I first started working at my job (Satellite Retailer) I noticed that the computers had out of date antivirus and everyone logged in as Admin.

      I went to the big 3 antivirus online scanners and all of them found KEYLOGGERS, Trojans, etc. Luckily my boss knew I was computer smart and let me wipe all the office computers and force everyone to log in as users. Only he and I know the admin passwords.

      The worst part is that being in Satellite sales we had to handle CC and Social Security Numbers. So far no customer has contacted us, so hopefully I caught it right after it happened.

      He also let me block myspace and a few other sites like that.

      --
      Dan
    27. Re:will there be changes? by petermgreen · · Score: 1

      Afaict all you need to put a transaction through is the card number; other stuff helps if the transaction is challenged but afaict is not needed to put the transaction through.

      All the information most online retailers ask for is either printed on the card or available to anyone who knows or stalks the victim. The PIN is only used for face to face transactions (which helps keep it secure but also means it is no help in many situations).

      Also the chips aren't particularly reliable. So at least in the UK if you fuck up the chip most stores will let you put the transaction through as swipe and sign.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
  3. Hacking? by houghi · · Score: 0, Redundant

    Dear editor,

    You use the word hacking, but I don't think it means what you think it means.

    On all other places I would let it slide by, but this is /. and yes I blame the editor, because (s)he should, uh, edit the stories.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:Hacking? by srjh · · Score: 5, Informative

      hacking (uncountable)

      1. (computing) Unauthorized attempts to bypass the security mechanisms of an information system or network.

      Hack

      ...4b: to gain access to a computer illegally

      You may prefer to use other definitions yourself, but the usage here is perfectly correct.

    2. Re:Hacking? by BPPG · · Score: 5, Informative

      You can bet hackers didn't write those definitions. Those definitions are accurate in the context of mainstream media, but as the GP stated, this is /.

      --
      What's the value of information that you don't know?
    3. Re:Hacking? by Anonymous Coward · · Score: 5, Funny
      This is SLASHDOT!!!

      kick to the chest

    4. Re:Hacking? by pegdhcp · · Score: 3, Informative

      Provided that this is still the /. that we all know, this should not be necessary, but one may never be sure about the level of truth...

    5. Re:Hacking? by srjh · · Score: 1

      Troll?

      Ouch, looks like I hit a nerve...

    6. Re:Hacking? by Dramacrat · · Score: 1

      To quote the immortal words of our Imam: "Nowadays, it is claimed that the Chinese and even WOMEN are hacking things. Man, am I ever glad I got a chance to experience "the scene" before it degenerated completely. And remember, kids, knowing how to program or wanting really badly to figure out how things work inside doesn't make you a hacker! Hacking boxes makes you a "hacker"! That's right! Write your local representatives at Wikipedia/urbandictionary/OED and let them know that hackers are people that gain unauthorized access/privileges to computerized systems! Linus Torvalds isn't a hacker! Richard Stallman isn't a hacker! Niels Provos isn't a hacker! Fat/ugly, maybe! Hackers, no! And what is up with the use of the term "cracker"? As far as I'm concerned, that term applies to people that bypass copyright protection mechanisms. Vladimir Levin? HACKER. phiber optik? HACKER. Kevin Mitnick? OK, maybe a gay/bad one, but still WAS a "hacker." Hope that's clear."

      --
      There are over 36 million lines of COBOL code in the world, and they are all raping children.
    7. Re:Hacking? by Anonymous Coward · · Score: 3, Insightful

      Dear hackers,

      You can't own a word. Get over it.

    8. Re:Hacking? by Yetihehe · · Score: 1

      Don't try to correct the editors. Instead, try to correct yourself. Remember - there is no dupe.

      --
      Extreme Programming - Redundant Array of Inexpensive Developers
    9. Re:Hacking? by Anonymous Coward · · Score: 0

      Hence why I browse at -1. Posted anonymously for obvious reasons.

    10. Re:Hacking? by Sophia+Ricci · · Score: 2, Funny

      He is just doing 'identity theft' of hackers.

    11. Re:Hacking? by I+cant+believe+its+n · · Score: 1

      Word to your mom.

      --
      She made the willows dance
    12. Re:Hacking? by houghi · · Score: 2, Interesting

      The price for correcting the Editors is being moderated as a troll, apparently.

      --
      Don't fight for your country, if your country does not fight for you.
    13. Re:Hacking? by I+cant+believe+its+n · · Score: 1

      ... or as Bill Gates mother would put it:
      "Word to your mom?"

      --
      She made the willows dance
    14. Re:Hacking? by mixmatch · · Score: 2, Informative

      Maybe because you are ignorantly trying to say that because they are black hats they should not be called hackers. The term hacker can be appropriately used to describe anyone with above-average knowledge on a subject and a desire to explore and tinker, usually outside the confines of what is expected or desired. Maybe you can educate yourself a little better before complaining on slashdot, Try reading some Kevin Mitnick, Michal Zalewski, or if nothing else Wikipedia.

    15. Re:Hacking? by Stormie · · Score: 1

      Provided that this is still the /. that we all know, this [catb.org] should not be necessary

      Trust me, linking to Eric S. Raymond's tiresome ramblings should never be necessary.

    16. Re:Hacking? by dkleinsc · · Score: 1

      Shouldn't that be "boot to the head"?

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    17. Re:Hacking? by Dekker3D · · Score: 1

      now that's just madness

    18. Re:Hacking? by Anonymous Coward · · Score: 0

      Why do they always have to take words and use them for their own purposes...Free, hack...

      stupid OSS fanatics

    19. Re:Hacking? by dunkelfalke · · Score: 1

      hacking comes from German "hacken" which means to chop, so a hacker is actually a lumberjack (and is okay).

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    20. Re:Hacking? by Anonymous Coward · · Score: 0

      Real nerds yell //.. !

    21. Re:Hacking? by Anonymous Coward · · Score: 0

      "hack writer" is first recorded 1826, though hackney writer is at least 50 years earlier.

      http://www.etymonline.com/index.php?term=hack

    22. Re:Hacking? by BronsCon · · Score: 1

      there is no dupe.

      There is new dope? Where?!

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    23. Re:Hacking? by Born2bwire · · Score: 1

      You mean to tell me that the accepted definition in mainstream dictionaries is based upon the usage of the word in the mainstream media and the everyday vernacular? Inconceivable!

    24. Re:Hacking? by Apathy451 · · Score: 1

      Slightly offtopic, but the most recent word screw-up that's been bugging me:

      vegetarian (http://dictionary.reference.com/browse/vegetarian)
      1. a person who does not eat or does not believe in eating meat, fish, fowl, or, in some cases, any food derived from animals, as eggs or cheese, but subsists on vegetables, fruits, nuts, grain, etc.

      pescetarian (http://dictionary.reference.com/browse/pescetarian)
      1. a vegetarian who will eat fish

      Defining a pescetarian as a vegetarian who eats fish is like defining a slut as a virgin who fucks.

    25. Re:Hacking? by ohzero · · Score: 1

      My time machine must be broken. I think I'm listening to an argument from 1990....

      --
      -- http://www.criticalassets.com
    26. Re:Hacking? by Anonymous Coward · · Score: 0

      That's what you say, n00b.

  4. More details by hattable · · Score: 5, Informative

    If you felt a little cheated by the lack of info in the 'article' the DOJ site has more.

    --
    OMG facts!
    1. Re:More details by p0werhouse · · Score: 1

      That's exactly what I wanted! Thanks. I also heard TJMax might go under as a result of this. They have already lost millions to lawsuits.

    2. Re:More details by Anonymous Coward · · Score: 3, Interesting
      From that FA:

      "Criminal informations were also released today in Boston on related charges against Christopher Scott and Damon Patrick Toey, both of Miami."

      Informations? The DOJ can't find a person who knows basic English to write their PRs?

    3. Re:More details by maglor_83 · · Score: 1

      They only know legalese.

    4. Re:More details by Anonymous Coward · · Score: 5, Funny

      those damn Legali immigrants.

    5. Re:More details by consonant · · Score: 4, Informative

      As does Ars..

    6. Re:More details by Anonymous Coward · · Score: 0

      If you felt a little cheated by the lack of info in the 'article' the DOJ site has more.

      US Department of Justice website is down. Could it be that too many users from Slashdot trying to visit overloaded their website?

      www.usdoj.gov

      11 Timed out Destination network unreachable Timed out

    7. Re:More details by Anonymous Coward · · Score: 0

      That's exactly what I wanted! Thanks. I also heard TJMax might go under as a result of this. They have already lost millions to lawsuits.

      Lawsuits? They could lose millions from reversed charges alone, without any lawsuits.

    8. Re:More details by deblau · · Score: 1
      --
      This post expresses my opinion, not that of my employer. And yes, IAAL.
  5. wireless registers by p0werhouse · · Score: 1

    I heard that they went around to stores using wireless networks to process purchases at checkout. Basically any store that thought they were being high tech by using wireless registers. Guess they forgot to encrypt the data...anyone have a better link?

    1. Re:wireless registers by hattable · · Score: 1

      In whatever newspaper I read about this in, they said that it was sent to the server with WEP, but I'm sure that took them what, a whole 20 minutes to break. They just backdoored the reception system so they didn't just get the card numbers that were being used in that store, but in all of whatever chain of stores.

      --
      OMG facts!
  6. indictment links by ya+really · · Score: 4, Informative

    Links to the indictments of the top two suspects:

    suspect 1
    suspect 2

  7. Better Article by FSWKU · · Score: 5, Informative

    http://news.bbc.co.uk/2/hi/business/7545212.stm has a much better write-up.

    So now we will get even MORE draconian measures to stop the "evil hackers" when in reality, it was a combination of bad intentions, and old-fashioned stupidity. The article specifically mentions looking for "vulnerable" access points. This means that whoever set the network up for these stores did not do a proper job in securing said network. Also, why the HELL were the systems used to process credit card transactions on the same insecure wireless network? There is NO excuse for that. I'm not excusing what these guys did, but once again we have a case where whoever set up the hardware in these places needs to be held for criminal negligence.

    --
    "So after all this, you make my case for me. To end this stalemate, you must die..."
    1. Re:Better Article by elnico · · Score: 4, Insightful

      whoever set up the hardware in these places needs to be held for criminal negligence

      IANA(legal scholar), but this doesn't seem to fit the definition of criminal negligence for two reasons:

      1) Doing a bad job at something and allowing others to come to harm isn't enough. Essentially, you must be aware of the risk of your actions (or inaction), or you must intentionally allow yourself too little information to make a proper decision.

      2) I'm pretty sure that once you commit a negligent act, it has to be nature that takes something "the rest of the way." If your act simply allows someone else to commit a crime, then the crime falls on the perpetrator, not you.

      Keep in mind too, that I'm talking about criminal negligence. You can sue in civil courts on a much broader basis.

      In fact, I find your entire comment rather ironic, since you imply that the recent crimes will be an excuse for some 1984-state to implement "MORE draconian measures," but then go on to suggest criminalizing what is essentially poor job performance.

    2. Re:Better Article by FlyingBishop · · Score: 1

      While in principle what you say may be correct, I think using insecure wireless to transfer credit information is a crime in and of itself. That literally amounts to broadcasting the numbers to anyone nearby the store. I'd almost say that goes beyond negligence. That's hitting golf balls off your roof and then claiming you didn't know anyone was down there. Granted, you may not have known - I suppose to take this metaphor to the proper extent we'll say you live in a field in the middle of nowhere. However, you only own the land around your house, and you have no excuse for harming someone by hitting the ball into an area you do not control - that is downright criminal if it hits some(one|thing).

    3. Re:Better Article by Anonymous Coward · · Score: 0

      Big corps are like that. Stupid things get done all the time... for no obvious reasons.

      I'm guessing that most systems were intended to be secure, but were either misconfigured, or augmented with things like wireless networks [WEP!] (or with high turnover [or lack of care], folks were running things on faith alone---without anyone really understanding where things go).

      For example, the corp I work for will be giving their customers a private key so that whatever we publish with our public key will be readable by them (ie: we need ``secure email''). The whole concept of -them- giving us their public key is beyond our IT department's understanding. And nobody seems to listen to reason. Eh. Big corps are like that.

    4. Re:Better Article by Anonymous Coward · · Score: 0

      "whoever set the network up for these stores did not do a proper job" or was on it from the beginning...

    5. Re:Better Article by SCHecklerX · · Score: 1

      If you think it's scary for banks, fire up kismet near a doctor's or lawyer's office sometime.

    6. Re:Better Article by illumin8 · · Score: 1

      1) Doing a bad job at something and allowing others to come to harm isn't enough. Essentially, you must be aware of the risk of your actions (or inaction), or you must intentionally allow yourself too little information to make a proper decision.

      As I understand the case, the criminals installed network sniffers at the retail network headquarters of these companies, and simply sniffed the unencrypted cleartext credit card numbers going across the wire.

      I don't think it would be unreasonable to prove that the engineers designing the system should have been aware that this was a major security risk and didn't take adequate steps to prevent it. This is negligence, plain and simple.

      I used to think mandatory licensing for IT workers, similar to the way we license plumbers or electricians, was a bad thing, but the more I work in the IT industry and see the incompetence of the average worker, I think it's a necessity. At least it would give consumers a recourse when things like this happened:

      "Were your IT professionals licensed?"

      "In order to be licensed, isn't it required that you learn how to safeguard data in transit across a network through encryption?"

      Judge: "Case closed, awarding punitive damages to the plaintiffs in the amount of $x million."

      Because seriously, how is allowing these data breaches to occur any less serious than allowing an unlicensed electrician to install faulty wiring? Sure, nobody will die because of a data breach, but if you count those millions of consumers and the hours each one must spend to clear their credit history of fraud, you're talking several lifetimes worth of lost time. You might as well kill a few people and the outcome would be the same.

      --
      "When the president does it, that means it's not illegal." - Richard M. Nixon
  8. Billing department infiltration by Centurix · · Score: 1

    I've always wondered how safe you are when paying utility bills over the phone using a tone phone, like if someone finds a connection at the call centre which takes the card number and listens to tones of card numbers/expiry dates/verification numbers flowing through the line. Maybe it's a little more secure than my paranoid mind thinks, maybe someone knows a little detail on what's involved with these systems?

    --
    Task Mangler
    1. Re:Billing department infiltration by unfasten · · Score: 4, Interesting

      Well if you can record the call (and phone boxes aren't hard to tap, though I'm not sure how exactly it would work at a call center) then it's easy to convert the DTMF tones into numbers using a tone decoder.

      Here's a link to a DIY hardware version: http://www.bobblick.com/techref/projects/tonedec/tonedec.html And a quick search should turn up software solutions, or you could write one yourself since the tones are standard. Wiki lists all the tones: http://en.wikipedia.org/wiki/DTMF#Keypad

    2. Re:Billing department infiltration by nbert · · Score: 1

      Reminds me of the early 90's when the Chaos Computer Club had its own radio show (I don't know if they are still on air). They had this game where you could win a prize if you were the first to call a number which was given to the listeners in DTMF tones. Since this show was in the late evening I don't want to know how many people got it wrong and woke someone with a similar number. But usually it only took a minute for someone to figure out the real number with the help of an Amiga (sound cards were not that common in the PC world back then and the Amiga came with all the software you needed for this purpose).

      IIRC the game was inspired by a prior show in which they called someone of relative hacker fame and forgot to silence the mic while dialing, thereby disclosing his number unintentionally...

    3. Re:Billing department infiltration by Anonymous Coward · · Score: 0

      You wouldn't need to decode the number. You could just play the recorded DTMF tones into the phone and it would connect.

  9. Slashdot is days behind the news by Xenna · · Score: 5, Insightful

    There used to be a time when you read tech news first on Slashdot. Nowadays I read it in my (Dutch) newspaper first (yep, the paper one that they actually have to print and deliver first) and a few days later it appears in /.

    What the hell is wrong?

    1. Re:Slashdot is days behind the news by unfasten · · Score: 1

      When exactly did you read it in the paper? Slashdot previously posted this story on the 5th, the day it was announced. See: http://yro.slashdot.org/article.pl?sid=08/08/05/1916237

    2. Re:Slashdot is days behind the news by Anonymous Coward · · Score: 0

      Obviously he means that it used to be that the dupes were on Slashdot before it ended up in the paper newspapers.

    3. Re:Slashdot is days behind the news by Anonymous Coward · · Score: 1, Informative

      Beats me. A while back you could tell the BBC's sci/tech section was taking cues from /., and now it's one to four weeks before the same news shows up here, and usually linked to 'articles' with a lot less info.

      July 8 http://news.bbc.co.uk/1/hi/sci/tech/7495961.stm
      Aug 4 http://science.slashdot.org/article.pl?sid=08/08/03/200240

    4. Re:Slashdot is days behind the news by ShaunC · · Score: 1

      There used to be a time when you read tech-news first on slashdot.

      If it's any consolation, this appears to be a quasi-dupe of this story from a few days ago. It's not the same article, but it's the same event. Slashdot wasn't days behind until they posted the dupe.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    5. Re:Slashdot is days behind the news by dr_zukov · · Score: 1

      Your newspaper has started to pay attention to tech stories.

    6. Re:Slashdot is days behind the news by noidentity · · Score: 1

      More importantly, why does it matter whether we discuss this news story the day it happens, or a few days later? Slashdot is for geek discussion about stories, not to simply get the stories so one can take timely action.

  10. Was the ring working in a windowless environment? by hansraj · · Score: 4, Funny

    ;-)

  11. It is sad by Erie+Ed · · Score: 1

    There is such a big difference between people who do it for the fun and challenge, and those who do it for personal gain. I really wish the media would pick up on these differences. Me personally, I enjoy the challenge, and find it to be fun, and I consider myself a hacker. Of course if I went around telling people that, they would get this idea that "I'm the bad guy who wants to steal all of your personal information". They really need to do some investigative reporting to see that there are white hat hackers and black hat hackers... of course with media outlets such as Fox News, CNN, MSNBC, etc... they tend not to seek out the truth.

    1. Re:It is sad by sir+fer · · Score: 1

      To paraphrase "never let the truth get in the way of a good story, especially if it complicates the issue!"

      --
      Debian FTW ;o)
    2. Re:It is sad by inasity_rules · · Score: 1

      Don't forget all the hard hacks too. They're fun, a challenge and (mostly) even legal.

      Signed

      An Electronic Eng Student

      --
      I have determined that my sig is indeterminate.
    3. Re:It is sad by inasity_rules · · Score: 1

      Don't forget about hard hacks and hard hackers... They're fun, a challenge and (mostly) even legal... :-)

      --
      I have determined that my sig is indeterminate.
  12. i don't even it by Anonymous Coward · · Score: 0

    sorry, it is odd to me.

  13. Who foots the bill? by brucmack · · Score: 2, Interesting

    So, who foots the bill for this? The retailer, the credit card company / debit card issuer, or the customer?

    1. Re:Who foots the bill? by Bravoc · · Score: 5, Funny

      So, who foots the bill for this? The retailer, the credit card company / debit card issuer, or the customer?

      The credit card company raises my rates to cover their expenses, the government uses my taxes to pay for the investigation and prosecution, looks like I'm paying for it!

      Drinks for everyone! Here, use my card!

    2. Re:Who foots the bill? by budword · · Score: 2, Insightful

      The customer always foots the bill, sooner or later.

    3. Re:Who foots the bill? by Stanislav_J · · Score: 3, Insightful

      So, who foots the bill for this? The retailer, the credit card company / debit card issuer, or the customer?

      The credit card company raises my rates to cover their expenses, the government uses my taxes to pay for the investigation and prosecution, looks like I'm paying for it!

      Dude, the customer pays for everything one way or another -- haven't you figured that out by now?

      --
      "Every great cause begins as a movement, becomes a business, and eventually degenerates into a racket." -- Eric Hoffer
    4. Re:Who foots the bill? by Anonymous Coward · · Score: 0

      Whichever one isn't a jew.

    5. Re:Who foots the bill? by funkyfantom · · Score: 1

      You are only paying for it as a credit card user if you don't pay your bills on time, which is financially very unwise.

  14. Defendant worked for the Secret Service by unfasten · · Score: 5, Interesting

    The main defendant in this case, Albert Gonzalez, used to be an informant for the Secret Service and cooperated in the Operation: Firewall case 4 years ago. Apparently they didn't keep a very good eye on him while he was working for them or after they were done with him. He became an informant after he was arrested around mid-2003 and the case lasted until the end of October, 2004. So according to this Washington Post article (which got the information from the indictment someone linked above) he was actively committing crimes at the same time he was an informant:

    -- In about 2003, Gonzalez and others found an unencrypted wireless access point at a BJ's Wholesale Club store. BJ's reported a breach of its computer networks in early 2004.

    -- In 2004, other members of the ID theft ring compromised an OfficeMax wireless access point in Miami, and they were able to steal credit card data. After law enforcement officials in 2006 identified OfficeMax as the victim of a data breach, the company said it hired an outside auditor to conduct an investigation and found no evidence of a security breach. An OfficeMax spokesman didn't immediately return a message seeking comment.

    So either the Secret Service was letting this go on just so they could make one bust, or they had no idea that their own informant was committing major breaches while under their supervision. Also, how stupid is this guy that he didn't even stop breaking the law after getting busted and becoming an informant? Some people are just begging to be sent to prison, and it looks like the prosecutors are going to grant his wish. For the rest of his life if they have their way.

    P.S.: The Threat Level post with the info about him being an informant also contains a link to another case about another informant who was stealing social security numbers while working on a computer inside the Secret Service offices.

    The usdoj.gov website seems to be down for me at the moment but should come back up eventually.

    1. Re:Defendant worked for the Secret Service by u38cg · · Score: 1

      I'm not really getting the thrust of your argument. Informants are, by definition, most likely to be criminals or criminal accessories. What's your point?

      --
      [FUCK BETA]
    2. Re:Defendant worked for the Secret Service by ya+really · · Score: 4, Informative

      I'm not really getting the thrust of your argument. Informants are, by definition, most likely to be criminals or criminal accessories. What's your point?

      I believe his point is, they were supposed to be former criminals, in the past tense. Law enforcement's job is to see that they stay that way, not to go run amok with 40+ million credit cards.

      In the case of the other informant he linked, the guy stole information directly from the Secret Service office's computers while the agents were on duty (though probably off viewing porn while the informant conducts non-authorized criminal activity). Mind you, they had a huge monitor displaying whatever the informant was doing on there aside from keylogging. Seriously, that's a huge lapse in monitoring, if they can't even watch an informant in their own office. Makes you wonder if they are even capable of doing their jobs.

      He's basically saying that this bust is just a front for the US government cleaning up a mess they created in 2003 by not initially locking this guy up or restricting his computer access/monitoring him more closely.

      One other thing, the informant did absolutely no time for all previous criminal activity he conducted before turning informant, after his initial arrest in 2003 (which according to the FBOP inmate tracker, he is 27). Thus, he could have been doing this for some time. Basically, he got a free pass on whatever crime he did before his initial arrest, plus almost five more years of wreaking havoc on the banking system. This is in sharp contrast to what most people would assume "informing" is, where a criminal cuts a deal for reduced time or perhaps probation/house arrest, but still gets charged. This guy however has not been charged, until now.

    3. Re:Defendant worked for the Secret Service by phayes · · Score: 2, Interesting

      Time to wakey wakey young one, the world is more complicated than your parents told you...

      In order to catch a thief, law enforcement officials will use people who are criminals themselves. When, in the course of an investigation, they have enough evidence to put away suspect A, A will often turn over information on other people the government wants to put away more. As the leaders of criminal organizations usually protect themselves by passing orders on to underlings & often do not commit overtly illegal acts themselves, this is the only way to collect enough evidence to put them behind bars.

      However, turning state's evidence will not protect A a second time if he continues to break the law, unless he can once again deliver on someone that the DA wants more than A.

      I see nothing abnormal in putting in prison a criminal who was too dumb to stop committing crimes.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    4. Re:Defendant worked for the Secret Service by Oligonicella · · Score: 2, Insightful

      "Law enforcement's job is to see that they stay that way,..."

      Uh, no. It is law enforcement's job to apprehend people who have committed a crime. It is not their job to ride shotgun on people who have in the past committed crimes, only to catch them again if they repeat.

    5. Re:Defendant worked for the Secret Service by Anonymous Coward · · Score: 0

      Alberto Gonzales was involved! No wonder the DOJ is so messed up!

      Wait, nevermind

    6. Re:Defendant worked for the Secret Service by ya+really · · Score: 1

      Note when I said "they," that was a pronoun for the 2 INFORMANTS, not criminals in general, jeeze. And seriously, you obviously can't say they should have allowed the one informant to have basically "free rein" of law enforcement computers and databases to conduct his own personal criminal activity. There is a line between allowing some criminal activity to catch other criminals and then there's just outright crime (in this case, the latter). Both were obviously conducting criminal activity while informing, which carries the same sort of implications as being on probation because that's the time when someone is most likely to lapse back into crime. They monitor you when you're on probation in an effort to deter it. However, whatever you do afterwards is that person's own problem and they suffer the consequence when caught. LE has no obligation to monitor after that point (probation) without probable cause.

  15. priceless by dbcad7 · · Score: 4, Funny

    hacking ring responsible for stealing more than 40 million credit and debit card numbers from retail organizations in the US have been caught and charged.

    To which they replied.. "put it on the card"

    --
    waiting for ad.doubleclick.net
  16. Re:Was the ring working in a windowless environmen by TC1116 · · Score: 0

    Yes, and with a $12 computer.

  17. This was in Wednesday's newspaper! by Rick+Richardson · · Score: 1, Informative

    This was in Wednesday's newspaper!

    Kill some trees! Better than Slashdot!

    1. Re:This was in Wednesday's newspaper! by Redneck+Hacker · · Score: 5, Informative

      This was in Wednesday's newspaper!

      It was also in Tuesday's /.

  18. Hacking Ring Nabbed By US Authorities by Anonymous Coward · · Score: 0

    Hacking Ring Nabbed By US Authorities

    Slashdot Americans are so cute. In one article you complain about the "spin" authorities and the president campaigns use to fool the population. Next, you swallow it all, even the feet and ears, when the spin is that the authorities are in control. You're so gullible it's endearing.

  19. Are they trying to freshen up Captain Planet? by metamechanical · · Score: 1

    I mean, Heart was a bit of a stretch, but Hacking?

    --
    If I had a nickel for every time I had a nickel, I'd be richcursive!
  20. one time CC numbers by timmarhy · · Score: 3, Insightful

    ALL of this could be ended if visa and mastercard changed to single use CC numbers. if they gave me a token that created a new CC number with each transaction it might actually justify that annual fee the assholes charge me.

    --
    If you mod me down, I will become more powerful than you can imagine....
    1. Re:one time CC numbers by maxume · · Score: 4, Informative

      If you don't feel you are getting your money's worth from the annual fee, you should consider switching to one of the hundreds (thousands?) of cards available without an annual fee.

      --
      Nerd rage is the funniest rage.
    2. Re:one time CC numbers by AvitarX · · Score: 2, Insightful

      Maybe he/she was referring to the merchant fees (the part that actually goes to VISA). These are (for me) $0.50 transaction and 2% of gross.

      Don't worry though, it's the customers, credit cards or no, that pay these fees in the end. Since profits are low enough and it is a competitive business, without the fees, prices would be lower.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    3. Re:one time CC numbers by maxume · · Score: 0, Flamebait

      It is pretty clear from the context that he is talking about the annual fee he pays to use a credit card, not a merchant account.

      Clearly you think you make more money by doing business with the CC companies (or you would stop!), so why bother complaining about it?

      --
      Nerd rage is the funniest rage.
    4. Re:one time CC numbers by barzok · · Score: 1

      How's that going to work when you're out at a store? For online shopping it's real easy, but when you're waiting in line at the supermarket?

  21. Re:Was the ring working in a windowless environmen by DoctorPepper · · Score: 1

    The NES version, or the Apple ][ version?

    --
    No matter where you go... there you are.
  22. Good - Hang the fsckers by xgr3gx · · Score: 2, Interesting

    But they'll probably just end up going to club fed for 2 years

    --
    Shameless plug alert: Game server control panel
  23. Wow, Ring of Hacking +3 by Anonymous Coward · · Score: 1, Funny

    Is this something I can buy in World of Whorecraft?

    (I hope this isn't about golf hackers...)

  24. Deja Vu by kiehlster · · Score: 1

    I feel like I read this somewhere before. Oh, that's right, on Tuesday. I think it was plainly obvious that the 11 charged were in a hacking ring whether the verbiage was included previously or not. Why don't we start tagging these as repeat news?

    1. Re:Deja Vu by Electric+Eye · · Score: 1

      Thank you. I was just about to post the exact same comments.

  25. Sort of Frightening by b4upoo · · Score: 3, Insightful

    The people arrested were in several nations. What is unusual and a bit frightening is that it seems like they were able to get arrest warrants or whatever was needed crossing international lines really quickly. It almost seems like some uber government organization was at work on this affair.

    1. Re: Sort of Frightening by Ungrounded+Lightning · · Score: 1

      What is unusual and a bit frightening is that it seems like they were able to get arrest warrants or whatever was needed crossing international lines really quickly.

      What makes you think it was quick? It doesn't hit the news until after the announcement, which is after the bust. If it takes two hours, two weeks, or two months to push the paper, the visible timing is the same.

      Until more information comes out the only date you have to put a limit on how much time it took is the time of the crime.

      It almost seems like some uber government organization was at work on this affair.

      Like Interpol? B-)

      Cops - both generic and specialized (like the Secret Service for currency-related crimes) have been working together across national borders almost since there have been both cops and national borders.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    2. Re: Sort of Frightening by ya+really · · Score: 1

      The people arrested were in several nations. What is unusual and a bit frightening is that it seems like they were able to get arrest warrants or whatever was needed crossing international lines really quickly. It almost seems like some uber government organization was at work on this affair.

      Only seems to be the case if they happen to cross over into a pro-western country. If you want to break the law, apparently it's relatively safe in the former Soviet states.

      Suspects seem to be relatively safe so far in much of the former Soviet Union. From the cases I've read, the only ones caught were entrapped somehow (convinced by the feds undercover to come to the US or elsewhere) or in this case, on vacation.

      Then, you have cases where the feds try to make an arrest in former Soviet states and this happens. They capture the guy, know it's him, and then two most likely corrupt members of their parliament "vouch" for him, lol. Pretty certain he had or was working with mafia connections. Most likely, he's back in the scene now stealing more credit cards. In many ways, this is exactly like the war on drugs.

    3. Re: Sort of Frightening by Anonymous Coward · · Score: 0

      this is exactly like the war on drugs.

      Except for the part about the war on drugs locking up hundreds of thousands of consenting adults for victimless nonviolent crimes, versus credit card theft having actual victims involved...

    4. Re: Sort of Frightening by ya+really · · Score: 1

      It's like the war on drugs in that they don't reach the actual source of the problem. The real backers of much of this are in countries the US cannot get to, just like the war on drugs. Instead, law enforcement ends up mostly picking up the lower level criminals in the US and Western nations, which might be a small setback for the ones pulling the strings, but there's always those out there ready to take the place of those arrested.

  26. Innocent until proven guilty? by Anonymous Coward · · Score: 1, Interesting

    The members of a hacking ring responsible for stealing more than 40 million credit and debit card numbers from retail organizations in the US have been caught and charged.

    You wouldn't think so from the summary. So much for the presumption of innocence.

  27. This is entirely for show by jskline · · Score: 1

    This really is entirely for show politically. There are too many strategic positions up for grabs in November that just spoke volumes of "We need to look good"... Yea, I'm speaking to some Republicans out there! You know who you are. Whose eyes are you trying to pull the wool over??

    Fact is there is too much of this out there and these guys are not the only fish out there.

    --
    All content in this message is copyright (c) 2008. All rights reserved. RIAA is prohibited here.
  28. Bail was set at $10,000,000 each... by clt829 · · Score: 2, Funny

    which they promptly paid by credit card.

  29. One time CC numbers can be abused too by Solandri · · Score: 1

    Apparently one-time use credit card numbers don't protect you either. I'd been wondering how a thief managed to charge something to my replacement credit card after I'd reported the old one stolen and had it canceled. If a merchant makes a manual (instead of electronic) claim with the credit card vendor, it will go through even if the credit card numbers are expired, the amount is over the limit, or you've been issued a card with new numbers. You can of course dispute the charge, but you have to spot the fraudulent charge first in order to dispute it. The only way to protect yourself from this type of fraud is to close the account, which is the same thing as not having a credit card.

  30. What does the US govt know? by Anonymous Coward · · Score: 0

    I'm starting to think that the US government has no business enforcing the law regarding technology at all.

    Between the "rogue sysadmin" in San Francisco who was just doing his job, and the "56K dialup hacker" in Britain who it turns out was just using Google, I don't see where the US Government has any business busting a "hacking ring". They wouldn't know a hacker if one walked up and bit their nuts off.

    Now every time I see a "US govt arrests hacker" story, I'm going "Now what, some girl scouts were selling cookies without a permit?"

  31. This is why I only buy online. by elhaf · · Score: 1

    n/t

    --
    Six score characters.
    Brevity being wit's soul
    I have enough space.
  32. Is this related to the 7-11 / Chase ATM crack? by Ungrounded+Lightning · · Score: 1

    They just backdoored the reception system so they didn't just get the card numbers that were being used in that store, but in all of whatever chain of stores.

    A month or so ago I heard of a bust of a team that had done a similar "backdoor the server" crack that got the card numbers and PINs of essentially everybody who had used the ATMs at 7-11 nationally for several months.

    Does anybody know if that crime and this one are related (other than by compromising the server)?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  33. Is this why... by Anonymous Coward · · Score: 0

    I wonder if this is why I've been receiving lots of phone calls from all sorts of debt collection agencies trying to collect debt from me, for companies I've never even done business with?

  34. reaction out of proportion by Benjamin_Wright · · Score: 1

    Careful reading of the indictments show that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. TJX was not as bad as we were led to believe. --Ben http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html

    --
    Benjamin Wright, Dallas, Texas, benjaminwright.us